Any person can contact your company at any time and ask: "What data do you hold about me and what do you do with it?". This apparently simple question activates the right of access recognised in Article 15 of Regulation (EU) 2016/679 (GDPR — General Data Protection Regulation) and obliges the organisation to respond fully, free of charge and within a legal deadline that admits no unjustified delays. Handling these requests properly is not just a matter of compliance: it is also a signal of professionalism and trustworthiness towards clients, employees and suppliers.
This article explains, step by step, how to respond to a data access request: from verifying the identity of the requester to drafting the response, covering the deadlines set out in Article 12.3 of the GDPR, the free-of-charge rule and the limits the regulation allows when dealing with manifestly unfounded or excessive requests.
What is the right of access under the GDPR?
Article 15 of the GDPR regulates the data subject's right of access. Under this right, any natural person is entitled to obtain from the controller confirmation as to whether or not personal data concerning them are being processed and, where that is the case, access to the data and the following information:
- The purposes of the processing.
- The categories of personal data concerned.
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations.
- The envisaged retention period or, if that is not possible, the criteria used to determine it.
- The existence of the right to request rectification, erasure or restriction of processing, and to object to processing.
- The right to lodge a complaint with the Spanish Data Protection Agency (AEPD — Agencia Española de Protección de Datos).
- Where the data have not been collected directly from the data subject, any available information as to their source.
- The existence of automated decision-making, including profiling as referred to in Article 22(1) and (4), and, in those cases, meaningful information about the logic involved as well as the significance and envisaged consequences of such processing.
The controller must also provide, where requested, a copy of the personal data undergoing processing (art. 15.3 GDPR). This copy shall be provided in electronic form where the request is made by electronic means, unless the data subject requests otherwise.
The procedure for handling data subject rights is one of the cornerstones of any GDPR compliance programme. Without a defined response channel, it is virtually impossible to manage these requests within the deadlines required by law.
First step: verify the identity of the requester
Before responding to an access request, the company must ensure that the person submitting it is really who they claim to be. Article 12.6 of the GDPR allows the controller to request additional information to confirm the requester's identity where there are reasonable doubts about it. This is not an optional formality: disclosing data to someone impersonating another person is itself a security breach.
However, verification must be proportionate. It is not acceptable to demand disproportionate documentation to exercise a basic right. Best practices recommended by the AEPD in its rights guide include:
- For requests from customers with an active account: confirm using information already held by the company (order number, registered email address, etc.).
- For requests from employees: verify through the usual internal channels.
- Where there are reasonable doubts: request a copy of a national ID card or other official identity document, bearing in mind that such a document is itself personal data and must not be retained beyond what is necessary for verification purposes.
The time that elapses while identity confirmation is awaited does not count towards the one-month deadline, provided that the request for additional information is made without undue delay. This must be documented.
Response deadline: the one-month rule under Article 12.3 of the GDPR
Article 12.3 of the GDPR states that the controller must provide the requested information without undue delay and at the latest within one month of receipt of the request. Where requests are complex or numerous, this period may be extended by a further two months, provided the data subject is informed before the initial one-month period expires, along with the reasons for the extension.
If the controller decides not to act, it must also communicate this to the data subject within one month, stating the reasons and informing them of their right to lodge a complaint with the AEPD and to seek judicial remedies.
| Scenario | Deadline | Additional requirement |
|---|---|---|
| Standard request | 1 month from receipt | None |
| Complex or multiple request | Up to 3 months from receipt | Inform the data subject of the extension and the reasons before the first month expires |
| Decision not to act | 1 month from receipt | Communicate reasons and right to complain to the AEPD |
| Identity verification pending | Deadline suspended | Request for proof of identity without undue delay |
The deadline is calculated in calendar months, not working days. A request received on 10 January must be answered by 10 February at the latest (or 10 April if the extension is applied).
Free of charge and exceptions: manifestly unfounded or excessive requests
The general rule is clear: the exercise of the right of access is free of charge (art. 12.5 GDPR). Data subjects cannot be charged for the ordinary processing of their request or for the copy of their data.
However, the same Article 12.5 provides two exceptions for requests that are manifestly unfounded or excessive, in particular because of their repetitive nature:
- The controller may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested.
- The controller may refuse to act on the request.
In both cases, the controller bears the burden of demonstrating that the request is manifestly unfounded or excessive. This exception does not apply automatically and cannot be used as a defensive mechanism against any inconvenient request. The AEPD requires that the reasons why a specific request deserves that classification are properly justified and documented.
In practice, a repetitive request might be one from the same data subject who, within the space of a few months, submits several identical access requests without any changes having occurred in the data being processed. Even in such a case, the company must assess whether there is a legitimate reason behind the repetition before applying the exception.
What the response must include
The response to an access request must be comprehensive, intelligible and in writing. Article 12.1 of the GDPR requires that information be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, especially where information is addressed to a child.
A well-structured response should include the following sections:
- Confirmation of whether data about the requester are being processed and, where they are not, an express statement to that effect.
- Categories of personal data processed: name, contact details, contractual data, browsing data, etc., based on what the company actually holds.
- Purposes and legal bases of processing for each category.
- Recipients: processors, third-party recipients, international transfers where applicable.
- Retention period or criteria for determining it.
- Information on other rights: rectification, erasure, restriction, objection, portability and the right to withdraw consent.
- Right to lodge a complaint with the AEPD (art. 77 GDPR).
- Where applicable, information on automated decision-making logic.
- Copy of the data, where expressly requested.
The response should be sent via a channel equivalent to the one used by the requester. If the request was received by email, the response may be sent to the same address. If it was received by post, the response may likewise be sent by post, unless the data subject indicates a preference for another channel.
Handling requests submitted by representatives or third parties
Where an access request is submitted by a legal representative — for example, a parent acting on behalf of a minor, or a solicitor acting on behalf of a client — the company must verify the identity of both the person represented and the representative, as well as the validity of the power of representation.
This is particularly relevant in environments involving sensitive data: a clinic receiving an access request for a patient's medical history through a supposed close family member must exercise particular care, given that health data are a special category protected under Article 9 of the GDPR.
When in doubt, it is preferable to request documentary proof and document the diligence applied, rather than disclose data to someone who is not authorised to receive them.
The role of the Record of Processing Activities in the response
The Record of Processing Activities (RoPA), required under Article 30 of the GDPR, is the internal tool that enables the company to respond accurately to an access request. Without an up-to-date RoPA, the company cannot know with certainty what data it processes, in which systems those data reside, for what purpose or how long they are retained.
This is why the RoPA and the data subject rights procedure go hand in hand: a well-maintained RoPA turns an access request into an orderly task; without it, each request becomes an improvised search that consumes time and creates the risk of incomplete responses.
At Summum Consultoría we support organisations in implementing internal procedures for managing data subject rights, including response templates, request logs and identity verification protocols tailored to the size and sector of each company.
Applicable penalty regime
Infringement of the right of access can have serious consequences. Article 83.5 of the GDPR, which covers the most serious infringements, includes violations of data subjects' rights as set out in Articles 12 to 22. Penalties may reach up to EUR 20,000,000 or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
The LOPDGDD (Ley Orgánica 3/2018, de 5 de diciembre — Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights) adapts this framework to the Spanish legal system, with a graduated system that distinguishes very serious, serious and minor infringements, taking into account factors such as intent, the number of data subjects affected, the duration of the infringement and the due diligence demonstrated by the company.
It is worth noting that the AEPD may open proceedings both following a direct complaint by the data subject (art. 77 GDPR in conjunction with art. 64 LOPDGDD) and on its own initiative. In many enforcement cases related to data subject rights, the starting point has been a complaint from a customer or employee who did not receive a timely response or received an incomplete one.
Checklist for responding correctly
As a quick guide, these are the steps any company should follow upon receiving a request to exercise the right of access to personal data:
- Log the request with the date and time of receipt (the deadline starts running from that moment).
- Verify the identity of the requester in a proportionate manner.
- Locate all data the company processes about that individual, consulting the RoPA and the relevant systems.
- Assess whether any exception applies (manifestly unfounded or excessive request; restrictions due to third-party rights; professional secrecy).
- Draft the full response including all elements of Article 15.1 and 15.2 of the GDPR.
- Attach a copy of the data if expressly requested.
- Send the response through the appropriate channel before the one-month deadline expires.
- Document the entire process: receipt, verification, internal search, response and date of dispatch.
To broaden the regulatory context, it may also be useful to review the full overview of data subjects' rights under the GDPR, which provides an integrated view of access, rectification, erasure, portability and objection.
Frequently asked questions
Does the right of access require the company to hand over original documents or a copy?
Article 15.3 of the GDPR requires the controller to provide a copy of the personal data undergoing processing, not the original documents or all internal files. The company decides on the format of the copy (a PDF document, a structured report, a data file), provided it is intelligible and complete. The first copy is free of charge; for any additional copies, Article 15.3 allows a reasonable fee based on administrative costs.
Can an employee exercise the right of access against their own employer?
Yes. Employees are data subjects for all purposes under the GDPR, and the company acts as the controller of their data. The employee has the right to know what employment-related data the company processes about them: payslips, performance appraisals, working time records, health data related to occupational risk prevention, internal communications in which they appear as a data subject, etc. The company is obliged to respond within the same deadlines and conditions as for any other data subject.
Can the company refuse to respond if the data affects third parties?
Article 15.4 of the GDPR provides that the right of access must not adversely affect the rights and freedoms of others. This means that if the copy of the requester's data contains data relating to third parties (for example, a conversation in which other employees appear), the company may anonymise or redact the third-party data before providing the copy, but it cannot refuse the response in its entirety on this basis if it is possible to provide the information in a way that does not affect third parties.
What happens if the company fails to respond within one month?
If the company does not respond within the deadline set out in Article 12.3 of the GDPR, the data subject may lodge a complaint directly with the AEPD (art. 77 GDPR), which can open a rights protection procedure and, if the infringement is confirmed, refer the case to enforcement proceedings. Failure to respond is, in itself, an infringement of Article 12 of the GDPR. For this reason, even when the company is still gathering information internally, it is advisable to send an acknowledgement of receipt to the data subject confirming that the request has been received and is being handled within the legal deadline.